Computer Network Attack and Defense Technology, Lecture 2

Slide 2: Hacking
- Using ways most people are not aware of.
- Puzzle: using 1, 3, 4, 6 and any of +, -, *, /, write an equation whose result is 24.
- Against common thought and what designers intend.

Slide 3: A simple program (example)

    /hacking/booksrc$ cat firstprog.c
    #include <stdio.h>

    int main() {
        int i;
        for (i = 0; i < 10; i++) {     /* loop 10 times */
            printf("Hello World!\n");   /* print a string */
        }
    }
    /hacking/booksrc$ gcc firstprog.c
    /hacking/booksrc$ ls -l a.out
    -rwxr-x---   1 wushaow  nscn  36588 Sep 16 18:02 a.out*
    /hacking/booksrc$ ./a.out
    Hello World!
    Hello World!
    Hello World!
    Hello World!
    Hello World!
    Hello World!
    Hello World!
    Hello World!
    Hello World!
    Hello World!

Slide 5: A simple program, disassembled (SPARC output shown)

    /hacking/booksrc$ objdump -D a.out
    ...
    000108c0 <main>:
       108c0:  9d e3 bf 88   save   %sp, -120, %sp
       108c4:  01 00 00 00   nop
       108c8:  c0 27 bf ec   clr    [ %fp + -20 ]
       108cc:  d0 07 bf ec   ld     [ %fp + -20 ], %o0
       108d0:  80 a2 20 09   cmp    %o0, 9
       108d4:  04 80 00 04   ble    108e4
       108d8:  01 00 00 00   nop
       108dc:  10 80 00 0b   b      10908
       108e0:  01 00 00 00   nop
       108e4:  13 00 00 46   sethi  %hi(0x11800), %o1
       108e8:  90 12 62 30   or     %o1, 0x230, %o0   ! 11a30
       108ec:  40 00 44 a1   call   21b70
       108f0:  01 00 00 00   nop
       108f4:  d0 07 bf ec   ld     [ %fp + -20 ], %o0
       108f8:  92 02 20 01   add    %o0, 1, %o1
       108fc:  d2 27 bf ec   st     %o1, [ %fp + -20 ]
       10900:  10 bf ff f3   b      108cc
       10904:  01 00 00 00   nop
       10908:  81 c7 e0 08   ret
       1090c:  81 e8 00 00   restore

Slide 6: A simple program (notes)
- Assembly language output will be different on different types of computer and compiler.
- objdump will have more output than shown here.

Slide 7: Debugger
- Debuggers are used by programmers to step through a compiled program, examine program memory, view process registers, and find out the source of a core dump.
- The GNU development tools include a debugger: GDB.
- A debugger allows a hacker to observe the microscopic world of machine code.

Slide 8: GDB example
- Using GDB to show the information of a program. Example: Intel architecture.
- General registers: EAX, EBX, ECX, EDX.
- Pointer and index registers: ESP (stack pointer), EBP (base pointer), ESI (source index), EDI (destination index), EIP (instruction pointer).
- EFLAGS: several bit flags that are used for comparisons and memory segments (see pg_17.pdf).

Slide 9: Assembly language
- List the source code; disassemble the source code (see assembly_main.pdf).

Slide 10: Assembly language
- `i r eip`: info register eip.
- Command x: examine memory. Example: `(gdb) x/8xw` (see x_command.pdf). Note the endianness of the output.

Slide 11: Assembly language
- Command x: examining memory as instructions with x/i. Example: `(gdb) x/8i` (see x_command_i.pdf).

Slide 12: Memory segments
A compiled program is divided into five segments:
- Text: code segment; not writable.
- Data: initialized global and static variables; writable, fixed size.
- BSS: uninitialized global and static variables; writable, fixed size.
- Heap: memory that can be controlled by the program directly; variable size.
- Stack: temporary scratch pad to store local variables; variable size; organized in stack frames (see memory_segment.pdf).

Slide 13: Memory segments in C
- Text: compiled code goes into the text segment; not writable.
- Data: initialized global and static variables. What is the static keyword? A static variable at file scope has local file scope; static inside a function is a static value inside the function; a global variable defined at file scope without any static declaration is a global variable (the default is global). Writable, fixed size.
- BSS: uninitialized global and static variables; writable, fixed size.
- Heap: memory that can be controlled by the program directly; variable size. Memory on the heap must first be allocated using malloc(); a pointer is used to refer to the memory allocated; heap memory must be freed after use using free(). This is dynamic memory allocation.
- Stack: temporary scratch pad to store local variables; variable size. Function variables are stored in stack memory; stack frame (see memory_segment_c.pdf).

Slide 14: Stack frame (diagram)
- From high address to low address: caller frame, return address (ret), saved frame pointer (SFP), local data 1, local data 2.
- The frame pointer (EBP) points at the saved frame pointer; the top of the stack is at the low-address end; the stack grows toward lower addresses.

Slide 15: Using the heap
- Heap: memory that can be controlled by the program directly; variable size.
- Memory on the heap must first be allocated using malloc(); a pointer is used to refer to the memory allocated.
- Need to check the returned pointer: on failure the return value is a null pointer, and the error must be handled.
- Memory on the heap must be freed after use, using free().
- This is dynamic memory allocation (see using_heap.pdf).
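The segment layout and the malloc() check from the slides above, as an added example (not code from the lecture). One variable is placed in each segment, a function-scope static shows that it does not live on the stack, and the heap allocation refuses to dereference a null pointer; all names are illustrative.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example (not from the lecture): one variable per memory segment,
   a function-scope static, and a heap allocation that checks what malloc()
   returned before using it. Names are illustrative. */

int initialized_global = 42;        /* data segment: initialized, writable */
int uninitialized_global;           /* BSS segment: zero-filled, writable  */
static int file_scope_static = 7;   /* data segment, but local file scope */

/* A static inside a function keeps its value between calls: it lives in
   the data segment, not in the function's stack frame. */
int call_counter(void) {
    static int calls = 0;
    return ++calls;
}

int file_scope_value(void) { return file_scope_static; }

/* Allocate n ints on the heap, zero them, and return the pointer.
   Returns NULL without dereferencing anything when malloc() fails. */
int *heap_ints(size_t n) {
    int *p = malloc(n * sizeof *p);
    if (p == NULL) {                 /* the check the slides insist on */
        fprintf(stderr, "malloc(%zu) failed\n", n * sizeof *p);
        return NULL;
    }
    memset(p, 0, n * sizeof *p);
    return p;
}

int main(void) {
    int local = 1;                   /* stack: lives in main's frame */
    int *heap = heap_ints(4);
    if (heap == NULL) return 1;
    printf("text  call_counter         %p\n", (void *)&call_counter);
    printf("data  initialized_global   %p\n", (void *)&initialized_global);
    printf("bss   uninitialized_global %p\n", (void *)&uninitialized_global);
    printf("heap  heap_ints(4)         %p\n", (void *)heap);
    printf("stack local                %p\n", (void *)&local);
    printf("call_counter: %d\n", call_counter());
    printf("call_counter: %d\n", call_counter());
    free(heap);                      /* heap memory must be freed after use */
    return 0;
}
```

Running it prints one address per segment; the heap address sits between BSS and the much higher stack address on a typical Linux process.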
Slide 16: User IDs
- Every user on a Unix/Linux system has a unique user ID number. Use the id command:

    /hacking/booksrc$ id wushaow
    uid=8249(wushaow) gid=893(nscn)
    /hacking/booksrc$ id root
    uid=0(root) gid=1(other)

- The root user (with id 0) is like the administrator account.
- The su command can be used to switch to a different user; the sudo command allows a single command to be run as the root user.
- Set-user-ID (setuid): an additional file permission bit that can be set using chmod.
- A running program has both a real user ID and an effective user ID: getuid() gets the real user ID, geteuid() gets the effective user ID.
- One of the goals of hacking is to get the rights of root.

Slide 17: Process operations and IDs
- Root: ID = 0 for the superuser root; can access any file.
- Fork and exec inherit the three IDs, except exec of a file with the setuid bit.
- Setuid system calls: seteuid(newid) can set the EUID to the real ID or the saved ID regardless of the current EUID, or to any ID if EUID = 0.
- Details are actually more complicated; there are several different calls: setuid, seteuid, setreuid.

Slide 18: Set-ID bits on an executable Unix file
- Three set-ID bits: setuid sets the EUID of the process to the ID of the file owner; setgid sets the EGID of the process to the GID of the file.
- Sticky bit. Off: if a user has write permission on a directory, they can rename or remove files in it, even if not the owner. On: only the file owner, the directory owner, and root can rename or remove a file in the directory.

Slide 19: Example (diagram)
- exec() of a setuid program owned by user 18 from a process with RUID 25 gives RUID 25, EUID 18.
- After `i = getruid(); setuid(i);` the process has RUID 25, EUID 25.
- Two files, -rw-r--r--, one owned by 18 and one owned by 25: the process can read/write each file only while its EUID matches that file's owner.
- Compare to stack inspection.

Slide 20: Careful with setuid!
- A setuid program can do anything the owner of the file is allowed to do.
- Be sure not to take action for an untrusted user, or return secret data to an untrusted user.
- Note: anything is possible if root; there is no middle ground between user and root.

Slide 21: Setuid programming
- Be careful! Root can do anything; don't get tricked.
- Principle of least privilege: change the EUID when root privileges are no longer needed.
- Setuid scripts: this is a bad idea. Historically, race conditions: begin executing a setuid program, then change the contents of the program before it loads and is executed.

Slide 22: Unix summary
- Good things: some protection from most users; flexible enough to make things possible.
- Main bad thing: too tempting to use root privileges; no way to assume some root privileges without all root privileges.
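The least-privilege rule from slides 20 and 21, as an added example (not code from the lecture): a setuid program does its one privileged step first, then permanently sets its effective IDs back to the real user's and verifies that this happened before touching anything the user supplied. Opening /dev/null stands in for the privileged resource; the function names are illustrative.

```c
#include <stdio.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/types.h>

/* Added example (not from the lecture): drop a setuid program's elevated
   EUID/EGID back to the real user's IDs as soon as the privileged work is
   done, and verify the drop instead of assuming it. Names are illustrative. */

/* Permanently set EUID/EGID back to the real IDs. Returns 0 on success,
   -1 if a call failed or the IDs did not actually change. */
int drop_privileges(void) {
    uid_t ruid = getuid();
    gid_t rgid = getgid();
    if (setgid(rgid) != 0) return -1;  /* group first: needs uid privilege */
    if (setuid(ruid) != 0) return -1;  /* non-root: only back to real uid */
    if (geteuid() != ruid || getegid() != rgid) return -1;
    return 0;                          /* verified, not assumed */
}

/* 1 while the process holds privileges its real user does not have,
   i.e. while it is still inside the dangerous setuid window. */
int running_elevated(void) {
    return getuid() != geteuid() || getgid() != getegid();
}

int main(int argc, char *argv[]) {
    printf("real uid %u, effective uid %u, elevated=%d\n",
           (unsigned)getuid(), (unsigned)geteuid(), running_elevated());

    /* Privileged step first, while EUID is still the file owner's.
       /dev/null stands in for a file only the owner may open. */
    int fd = open("/dev/null", O_RDONLY);
    if (fd < 0) { perror("open"); return 1; }

    /* Give the privilege back before looking at untrusted input. */
    if (drop_privileges() != 0) { perror("drop_privileges"); return 1; }

    /* From here on everything runs as the invoking user only. */
    const char *untrusted = argc > 1 ? argv[1] : "(no argument)";
    printf("processing %s as uid %u, elevated=%d\n",
           untrusted, (unsigned)geteuid(), running_elevated());
    close(fd);
    return 0;
}
```

Installed with `chmod u+s` the program shows the EUID of the file owner on the first line and the caller's UID on the second; run without the setuid bit both lines show the same UID and the drop is a no-op.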
Computer Network Attack and Defense Technology, Lecture 3

Slide 24: Overview of the 80x86 family assembly language: numbers
- 1 bit: 0 or 1.
- Nibble: 0000 (4 bits).
- 1 byte: 00000000 (2 nibbles, 8 bits).
- Half word: 0000000000000000 (2 bytes, 4 nibbles, 16 bits).
- 1 word: 0000000000000000 0000000000000000 (4 bytes, 32 bits).

Slide 25: Intel registers
- General purpose registers: EAX (accumulator register), EBX (base register), ECX (counter register), EDX (data register).
- Index registers: pointer registers, 32-bit, mainly used for string instructions. EDI: destination index; ESI: source index; EIP: instruction pointer, points to the current instruction the processor is reading.
- Stack registers: EBP and ESP are used when dealing with the stack. ESP: stack pointer; EBP: stack base pointer.
- EFLAGS: several bit flags that are used for comparisons and memory segments; can be ignored most of the time since no direct access is needed.
- Segment registers: EDS stores the segment and ESI stores the offset.

Slide 26: Stack review

Slide 27: Assembly instructions: move instructions

    mov eax, 10    ; put 10 into eax
    mov ebx, 20    ; put 20 into ebx
    mov ecx, 30    ; put 30 into ecx
    mov edx, 40    ; put 40 into edx

- Notice that in assembler anything after a ; (semicolon) is ignored. This is very useful for commenting your code.

Slide 29: Assembly instructions: push and pop, two instructions to use the stack
- PUSH: puts a piece of data onto the top of the stack. Syntax: push data.
- POP: puts the piece of data from the top of the stack into a specified register or variable. Syntax: pop register (or variable).
- Example:

    push ecx    ; put ecx on the stack
    push eax    ; put eax on the stack
    pop ecx     ; put value from stack into ecx
    pop eax     ; put value from stack into eax

Slide 30: Types of operand
- Immediate: a number which is known at compilation and will always be the same, for example 20 or 'A'.
- Register: any general purpose or index register, for example EAX or ESI.
- Memory: a variable which is stored in memory.

Slide 31: Instructions
- MOV: moves a value from one place to another. Syntax: MOV destination, source.

    mov eax, 10        ; moves an immediate value into eax
    mov ebx, ecx       ; moves the value from ecx into ebx
    mov edx, Number    ; moves the value of the variable Number into edx

- INT: calls an interrupt-processing subroutine. Syntax: INT interrupt_number.

    int 21h    ; calls a DOS service
    int 10h    ; calls the video BIOS interrupt

Slide 32: Control flow
- jmp label, e.g. `jmp ALabel` ... `ALabel:`
- JA: jumps if the first number was above the second number.
- JAE: same as above, but will also jump if they are equal.
- JB: jumps if the first number was below the second.
- JBE: same as above, but will also jump if they are equal.
- JNA: jumps if the first number was NOT above (same as JBE).
- JNAE: jumps if the first number was NOT above or the same as (JNB).
- JNB: jumps if the first number was NOT below (same as JAE).
- JNBE: jumps if the first number was NOT below or the same as (same as JA).
- JZ: jumps if the two numbers were equal. JE: same as JZ, just a different name.
- JNZ: jumps if the two numbers are NOT equal. JNE: same as above.
- JC: jumps if the carry flag is set.
- CMP: compare a value. Syntax: CMP register or variable, value; followed by jxx destination.

Slide 33: Important instructions
- ADD operand1, operand2: adds operand2 to operand1; the answer is stored in operand1. Immediate data cannot be used as operand1 but can be used as operand2.
- SUB operand1, operand2: subtracts operand2 from operand1. Immediate data cannot be used as operand1 but can be used as operand2.
- XOR, INC, DEC.
- MUL: multiplies two unsigned integers (always positive). IMUL: multiplies two signed integers (either positive or negative).
- DIV: divides two unsigned integers (always positive). IDIV: divides two signed integers (either positive or negative).

Slide 34: Exploitation
- A program is designed by people to follow a predefined flow.
- Exploitation is using a clever way to make the program do what you want it to do, not what the designer/programmer wanted.
- LaMacchia loophole: a US legal system loophole; 1993, MIT student David LaMacchia (hacker).

Slide 35: Exploitation
- Most program exploits have to do with memory corruption: take control of the running program's flow and hijack it to run malicious code (execution of arbitrary code).
- Examples: buffer overflow, heap overflow, format string exploits, integer overflow.

Slide 36: Buffer overflows
- C is an unsafe language: once memory is allocated, there is no safeguard to ensure that data is stored in the allocated memory only (see buffer_overflow.pdf).

    strcpy(searchingstring, argv[1]);
Slide 37: Using scripts to make the attack easier
- The BASH shell, and Perl, which is common to most Unix-based machines.
- Tell Perl to execute the commands found between single quotes:

    /hacking/booksrc$ perl -e 'print "A" x 20;'
    AAAAAAAAAAAAAAAAAAAA

- Any character can be written as \x followed by the hexadecimal value of the character; this applies to non-printable characters too. A = 0x41, so \x41 can be used:

    /hacking/booksrc$ perl -e 'print "\x41" x 20;'
    AAAAAAAAAAAAAAAAAAAA

Slide 38: Perl string concatenation
- String concatenation can be done in Perl with a period:

    /hacking/booksrc$ perl -e 'print "A" x 20 . "BCD" . "\x61\x66\x67\x69" x 2 . "Z";'
    AAAAAAAAAAAAAAAAAAAABCDafgiafgiZ

- A shell command can be executed like a function, using the $() format (see perl_example.pdf).
- Command substitution and Perl can be used in combination to quickly generate an overflow buffer on the fly.

Slide 39: Shellcode
- Overflow a buffer into the return address; inject your own instructions into memory and then return execution there.
- Original meaning: spawn a shell (a root shell) used to control the machine. Extended meaning: spawn any method that can be used to control the machine, e.g. open a connect-back port (see shellcode_example.pdf).
- When a new instruction can be injected and execution can be controlled with a buffer overflow, the original design is void. Allow programs to do things i